Many corporate security awareness programs fail because there's no real motivation for employees to even care, according to Laura Bell, founder and chief executive officer of SafeStack.
"You can teach somebody the technical bits and pieces till you're blue in the face, whether it's electronically or in person, but unless you can get them to care about the why, you'll never see a change in their behaviour," Bell told ZDNet.
James Turner, security advisor with consulting firm IBRS and founder of CISO Lens, agrees. He says it's all about the organisation's staff engagement level.
"If you have a low engagement level with your staff, you're effectively saying, 'I want you to change your behaviours, and I know you don't give a s*** about the company, but do it anyway.' You're asking staff to behave completely altruistically for a company that they feel no connection with," Turner told ZDNet.
"If you're just going to be pumping out an awareness campaign and you've got low engagement, stop and let the HR people focus on engagement first."
Turner says some of the top security executives have started making security training a core part of the organisational change process by firstly training staff in personal e-safety. Topics include the privacy issues in using Facebook and communications platforms like WhatsApp, safe internet banking, and how to talk to their kids and teenagers about internet safety and cyberbullying.
"[These are] issues that are directly relevant to them in their home lives [and] their families," Turner said. That provides an opportunity for the HR team to start improving engagement.
"The company is going, 'We actually give a damn about you as a human being. This stuff is important. As much as we need you to change your behaviour here at work, we're recognising that we actually need you, as one of our valued staff, to be safe at home.'"
It's also important, however, that creating an awareness of the risks doesn't turn into fear mongering.
"It's the difference between recognising that you're driving a car, and that there's other moving objects and so on around you, and that there's a safety issue but you should be fine provided you understand what you're doing and what everyone else around you is doing," Turner said.
"We're interested in just making sure that you don't think that the internet is a bouncy castle where nothing's going to go wrong."
For Bell, it's also about storytelling, as well as the "click-less training" and the workplace posters that act as reminders. The stories have to tap into how people think and what they care about.
"I don't mean horror stories, because we're not the scariest monster in the room for most people. Security is a big problem, but it's not the only problem, and for most people it's not the worst, either," Bell said.
"For example, if I'm teaching technical developers, we'll be talking about, 'Well, let's look at this horror story of what happened, and let's not look at the scary part of it. Let's talk about it like a Hollywood movie. How would we have done this? Could we do this in here?"
It's an interactive process that becomes an engaging, creative process, rather than one that induces fear.
Or, as Turner explained it, "This entire thing about security awareness is all about education ... That's not new. We know how to do that. There's an entire world around that one."
Building resilience via company culture
Cybersecurity researchers have continually found that when it comes to building an organisation's cybersecurity resilience, cultural factors are more important than technical factors.
Sometimes it can be as simple as giving employees the cultural permission to ask a colleague for a second opinion, and reinforcing that doing so is a sign of taking care of the organisation, rather than a sign of weakness. Ask out loud, suggests the Australian government's Stay Smart Online program.
"Talking through your concerns out loud with someone else can reassure you and help to identify messages that may be fake before you click a malicious link or give away any personal information."
Another DST-Adelaide research team found that employees had better information security awareness skills if they were more personally resilient, and suffered less workplace stress. Organisational changes that reduce stress would of course have many other benefits besides improving security.
Research presented by the University of Otago in 2015 showed that when employees fell for a phishing attack, they were usually away from their desk, using mobile devices that didn't necessarily display the email in full. It usually happened outside business hours, too, either late at night when they were tired, or first thing in the morning when they were busy starting their household's daily routine.
"This expectation that we're going to ask people to work long hours, be on call to answer emails and queries at any time, has a huge downside, and that's about managing expectations," said Mark Borrie, the university's information security manager.
Turner says that IBRS has been explaining these attention issues to clients in terms of colour codes, a system adapted from Jeff Cooper's colour code for the combat mindset.
Under the IBRS version of the code, employees in condition White are "unaware and unprepared", probably oblivious to their actions and consequences, and potentially dangerous to themselves and the organisation.
You want your staff members to be operating at Yellow, says Turner, a "relaxed alert" state where employees are aware of their actions and their environment. Text, semantics, nuances of language, and sender information from an email that seems wrong will stand out, which pushes them to the Orange state.
Orange is a "specific alert", where something has got the employee's attention. The action of asking out loud puts both parties into the Orange state.
"You don't want them in Orange [continuously] because that's mentally exhausting. But Yellow, with training and practice you can maintain that for hours at a time," Turner said. Providing, that is, that staff members are taking breaks and doing "a lot of good occupational health and safety and ergonomic things" like standing up, going for a walk, and drinking water.
While an organisation's culture is a key to success, the content of security awareness training is still important.
Staff members need to understand what that technology means to the organisation, and how that organisation is winning -- or not -- by using that technology, according to Nigel Phair, director of the Centre for Internet Safety at the University of Canberra.
"Instead of saying users are our weakest link, which everyone says at every conference, I spin that around and say you are the greatest strength to the organisation when it comes to online security. You're the one that is the eyes and ears," Phair told ZDNet.
Staff members need to understand the reasons behind security decisions, and the relative risks involved in different transactions. They need to understand, for example, that while the data on a device might be encrypted, losing that device still means losing an expensive corporate asset.
According to CERT Australia critical infrastructure protection reports, around one in five cybercrime incidents are connected with an insider.
"Most of those were a silly insider, not a malicious insider. We want to stop that silliness," Phair said.
Programs need to help employees become aware of the accidental risks as well as the malicious ones, and according to Bell that's another cultural issue. It's not about secrets being written on whiteboards for all to see, but the assumption that bad things won't happen because everyone is a good person.
"That's a red flag for me, because there's a lot of reasons bad things happen in security," Bell said.
"Some of it is malicious intent. Some have gone rogue and decided they're going to become an evil genius, and great. But then there's also 'My toddler threw a shoe out of the window on my way to work in the morning and I'm just distracted today', or 'I'm dealing with s*** in my life and I'm not quite on my A game', or 'I'm actually a little bit nervous about this job because I don't really know how to do it well enough and I'm a bit too scared to ask'."
Or as an IBRS advisory paper says, "A disempowering message is more likely to result in either no behavioural change or, potentially, an undesirable change. Instead, security awareness programs should focus on helping staff develop and sustain the skills and knowledge required to execute on their work, and also maintain a mind state of 'relaxed alert'."
Disclosure: Stilgherrian receives payment from the Centre for Internet Safety for editorial work on their advisory newsletter DirectorTech.